
Current Tasks

Ideas

Please submit your ideas for the OWASP Java Project here (you can sign your ideas by adding four tilde characters like this ~~~~)

It would be useful to have a library of J2EE security resources on the web. In addition to URLs, I think these should have short summaries that explain what the resource is about. I've clicked on far too many "J2EE Security" links only to find that the article is about implementing access control in Tomcat.

A tool that automatically generates a security policy for a given application could be useful. The tool is first run in learning mode where it maps all the accesses that the application attempts and then generates a policy based on those access attempts. Status: tool sent to Stephen.
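One way the learning mode described in that idea could be implemented, as an added illustration rather than the tool that was sent: a SecurityManager subclass that records every permission the application requests instead of enforcing anything, then renders what it saw as a grant block in security.policy syntax. The class and method names (LearningSecurityManager, toPolicy) and the demo in main are made up for this example.

```java
import java.security.Permission;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;

/**
 * Hypothetical learning-mode SecurityManager (example code, not the tool
 * referred to above). Once installed it never denies a request; it records
 * each permission the application asks for so the result can be written out
 * as a starting point for a security.policy file.
 */
public class LearningSecurityManager extends SecurityManager {

    // permission class name -> sorted set of "\"name\", \"actions\"" targets seen so far
    private final Map<String, Set<String>> observed = new TreeMap<String, Set<String>>();

    // Re-entrancy guard: our own bookkeeping (string building, class loading)
    // can itself trigger permission checks, which must not be recorded or
    // they would recurse back into record().
    private final ThreadLocal<Boolean> recording = new ThreadLocal<Boolean>();

    @Override
    public void checkPermission(Permission perm) {
        record(perm); // learning mode: observe, do not enforce
    }

    @Override
    public void checkPermission(Permission perm, Object context) {
        record(perm);
    }

    private synchronized void record(Permission perm) {
        if (Boolean.TRUE.equals(recording.get())) {
            return; // check triggered by the recorder itself; ignore
        }
        recording.set(Boolean.TRUE);
        try {
            String target = quote(perm.getName());
            String actions = perm.getActions();
            if (actions != null && !actions.isEmpty()) {
                target += ", " + quote(actions);
            }
            String key = perm.getClass().getName();
            Set<String> targets = observed.get(key);
            if (targets == null) {
                targets = new TreeSet<String>();
                observed.put(key, targets);
            }
            targets.add(target);
        } finally {
            recording.set(Boolean.FALSE);
        }
    }

    // Policy-file strings are double quoted and backslash is an escape
    // character there, so both must be escaped in emitted targets.
    private static String quote(String s) {
        return "\"" + s.replace("\\", "\\\\").replace("\"", "\\\"") + "\"";
    }

    /** Renders everything observed so far as one grant block. */
    public synchronized String toPolicy() {
        StringBuilder sb = new StringBuilder("grant {\n");
        for (Map.Entry<String, Set<String>> e : observed.entrySet()) {
            for (String target : e.getValue()) {
                sb.append("    permission ").append(e.getKey())
                  .append(' ').append(target).append(";\n");
            }
        }
        return sb.append("};\n").toString();
    }

    // Constructed demo: install the manager, exercise a property read and a
    // file read, then print the policy that was learned from those accesses.
    public static void main(String[] args) {
        LearningSecurityManager sm = new LearningSecurityManager();
        System.setSecurityManager(sm);
        System.getProperty("user.home");        // -> java.util.PropertyPermission "user.home", "read"
        new java.io.File("/tmp").exists();      // -> java.io.FilePermission "/tmp", "read"
        System.out.print(sm.toPolicy());
    }
}
```

Compile and run it as `java LearningSecurityManager`; the Security Manager is deprecated for removal since Java 17, and from Java 18 the JVM must be started with `-Djava.security.manager=allow` or `System.setSecurityManager` throws. Two caveats matter before treating the output as a policy: it emits a single global grant block, whereas a real tool should key grants by codeBase (using the ProtectionDomain of the classes on the call stack, available via `getClassContext()`), and it only captures the code paths that were actually exercised, so the run needs the coverage of a full test suite and every entry with a wildcard or `<<ALL FILES>>` target should be reviewed by hand rather than copied into production.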

Design considerations

Objective:

Discuss the security implications of common J2EE architectures. This could be discussed in terms of: Authentication, Authorisation, Data Validation, Cross Site Scripting protection. Other architecture concerns such as scalability, performance and maintainability can also be mentioned, but the focus on security should not be lost.
Any other security concerns that should be addressed during the design phase should also be mentioned here.

Status:

Call for volunteers

Contributors:

Reviewers:

Architectural considerations

EJB Middle tier

Web Services Middle tier

Spring Middle tier

Noteworthy Frameworks

Objective:

Discuss important and relevant Java security frameworks that would be useful to architects. The information should be at a suitably high level, for example, by discussing the advantages and features as well as the associated costs (direct and indirect) of using the frameworks.

Java Security Basics

Objective:

Provide an introduction to the basic security services provided by the Java language and environment. Remember to keep this relevant for web developers for the initial release - there may be potential to expand this to thick clients in subsequent releases.

Status:

Outline development

Contributors:

Shyaam Sundhar

Reviewers:

Rohyt Belani, Stephen De Vries

Class Loading

Bytecode verifier

The Security Manager and security.policy file

Input Validation

SQL Injection

Objective:

Provide cursory background information on SQL injection and refer to the Guide for more in-depth coverage (no need to duplicate information in the Guide). This section should provide practical advice and real-world code examples for developers. If you feel that a popular persistence framework is not covered, please add it!

Cross Site Scripting (XSS)

Objective:

Provide cursory background information on XSS and refer to the Guide for more in-depth coverage. This section should provide practical advice and real-world code examples for developers. If you would like to see coverage of a web framework that's not listed, please add it!

Status:

This is going to be included in the common frameworks article that Rohyt and the E&Y team are working on.

Contributors:

Reviewers:

Overview

Prevention

White Listing

Manual HTML Encoding

Preventing XSS in popular Web Frameworks

JSP/JSTL

Struts

Spring MVC

JavaServer Faces

WebWork

Wicket

Tapestry

CSRF attack

LDAP Injection

Objective:

As with the other injection sections, only provide cursory information on the general case. Should contain practical real-world advice and code examples for preventing LDAP injection.

Web Services Security

Objective:

Discuss securely implementing Web Services using Java technologies. Examples using specific frameworks are welcome. The topic list is a bit light at the moment; please add more topics if they're relevant.

Status:

Call for volunteers

Contributors:

Reviewers:

SAML

(X)WS-Security

SunJWSDP

XML Signature (JSR 105)

XML Encryption (JSR 106)

Code Analysis Tools

Objective:

The introduction should cover the advantages and shortcomings of code analysis tools. An overview of the current state of the art and the available tools would go well here. As a start, only open source tools are listed, but if vendors of commercial tools adhere to the Tutorial guidelines, these submissions will be gladly received.

Securing Popular J2EE Servers

Objective:

Practical step-by-step guides to securing various J2EE servers. Examples of secure configurations can also be provided for download. If configurations are provided, they should be properly commented so that the rationale for configuration settings is clearly explained. Users of the configurations should be provided with enough information to make their own risk decisions.

This is a proposed section that seems to be a good place to put articles that don't fit into some of the other categories. Jeff Williams 17:41, 30 June 2006 (EDT)

Using Eclipse to verify Java applications

Using FindBugs, PMD, Metrics, NCSS, jLint to find flaws and bugs

Using WebScarab to find vulnerabilities in J2EE applications - is there anything that would be specific to J2EE apps here? Wouldn't using webscarab apply to all web apps? Stephendv 07:14, 17 July 2006 (EDT)